Daily Brief

Total articles found: 12632

2023-12-20 08:35:34 theregister CYBERCRIME SSH Protocol's Terrapin Vulnerability: a Call for Updates
A novel vulnerability, known as Terrapin, impacts the SSH protocol, allowing potential man-in-the-middle attacks to compromise connection security. Security researchers from Germany's Ruhr University Bochum have described the attack method and shared their findings after responsibly disclosing it to affected developers. Patches and workarounds have been issued to mitigate the threat posed by Terrapin, with updated software versions available for users to install. The underlying flaw involves the negotiation of encryption during the SSH handshake, where a well-positioned adversary can inject 'ignore' messages to manipulate sequence counters. The affected SSH client AsyncSSH was patched in versions 2.14.1 and 2.14.2, addressing both the generic and client-specific CVEs linked to the Terrapin vulnerability. The overall risk is mitigated by the requirement of an active man-in-the-middle attacker and specific exploitable encryption modes, with advice to disable vulnerable modes and prioritize non-vulnerable algorithms like AES-GCM. OpenSSH, one of the most widely used SSH clients, released version 9.6 to address the vulnerability with a strict key exchange protocol, while other clients like PuTTY have also been updated.
2023-12-20 08:14:54 thehackernews MALWARE JaskaGO Malware Compromises Windows and macOS Systems
A new Go-based malware, JaskaGO, targeting both Windows and macOS systems, has been identified by AT&T Alien Labs. JaskaGO can evade detection by checking if it's running in a virtual machine and then performing benign actions like pinging Google. The malware is capable of stealing information, modifying the clipboard to hijack cryptocurrency transactions, and downloading additional malicious payloads. Specifically on macOS, JaskaGO can gain root permissions, disable security features, and ensure persistence through system reboots. The distribution method of JaskaGO is not yet known, nor is the extent of the infection campaign. The emergence of JaskaGO is part of a larger trend of cybercriminals favoring the Go language due to its simplicity and cross-platform support.
2023-12-20 00:37:31 theregister CYBERCRIME Global Sting Operation Nets 3,500 Cyber Criminals and $300M
Interpol's Operation HAECHI IV, with cooperation from 34 countries, has led to the arrest of 3,500 people linked to various cyber-enabled financial crimes. The operation focused on a range of illegal activities including voice phishing, romance scams, sextortion, fraudulent investments, online gambling, business email compromise, and e-commerce fraud. A considerable portion of the offenses was related to business email compromise, e-commerce fraud, and investment scams. Two Purple Notices were issued by Interpol, providing insights into criminals' techniques, such as the use of AI for identity concealment in scams and a "rug pull" scheme involving non-fungible tokens (NFTs). South Korean and Filipino authorities successfully captured a notable online gambling criminal after a prolonged tracking operation. The enforcement action impeded financial transactions, freezing over 82,000 suspicious bank accounts and confiscating around $199 million in physical currency and $101 million in digital assets. The results of Operation HAECHI IV represent a substantial increase in arrests and seized assets compared to previous efforts, with a 200% rise in apprehensions.
2023-12-19 20:48:22 theregister DATA BREACH Over 35 Million Xfinity Customers' Data Exposed in Cyberattack
Comcast's Xfinity service suffered a data breach impacting over 35 million user IDs due to the exploitation of the Citrix Bleed vulnerability. Personal information, including hashed passwords, usernames, contact details, and security question answers, was likely compromised in the cyberattack. The Citrix Bleed flaw was disclosed and patched on October 10, but by late October, widespread exploitation by ransomware groups was reported. Comcast identified and patched the vulnerable Citrix systems and noted unauthorized access between October 16 and October 19, 2023. Comcast alerted federal law enforcement and started an investigation, which confirmed the likelihood of data acquisition on November 16. The stolen data potentially includes sensitive details like social security numbers, dates of birth, and contact information for some customers. Xfinity is now urging customers to reset their passwords and enable two-factor or multi-factor authentication as a security measure.
2023-12-19 20:37:52 bleepingcomputer MALWARE Sophisticated Malware Campaign Targets Banking Credentials Globally
A malware campaign utilizing JavaScript web injections has targeted over 50,000 users of 40 banks worldwide, aiming to steal banking data. The malicious activity was detected by IBM's security team, noting that attack preparations began in December 2022 with domain registrations. Attackers have been injecting scripts to manipulate webpage content and intercept login credentials and OTPs, enabling unauthorized access to banking accounts. The infection process could involve methods like malvertising or phishing, with the subsequent stealthy injection of a script tag from an external server to evade detection. The malware mimics legitimate JavaScript content delivery networks to avoid raising red flags, conducting dynamic behavior adjustments based on server instructions. IBM's research suggests there may be connections between this campaign and DanaBot, a known banking trojan that has been active since 2018. IBM warns that the campaign is ongoing and highlights the need for increased caution when accessing online banking portals and apps.
2023-12-19 20:01:59 theregister CYBERCRIME Critical Perforce Helix Core Server Flaws Require Immediate Patching
Microsoft's security researchers identified four vulnerabilities in Perforce Helix Core Server, with one classified as a critical remote code execution (RCE) flaw. The Perforce Server is vital to many sectors including gaming, government, and tech, where secure source code management is crucial. All vulnerabilities can be remediated by upgrading to Perforce version 2023.1/2513900; appropriate patches were released in November. The most severe vulnerability, CVE-2023-45849, allows an unauthenticated remote attacker to execute code with LocalSystem privileges, potentially leading to data theft and further network compromise. Microsoft's team points out that while the vulnerabilities have not been exploited in the wild, the critical RCE presents significant risks if not addressed. Attackers could exploit these vulnerabilities to perform denial-of-service attacks and execute arbitrary code without user authentication. Microsoft emphasizes the importance of basic security practices such as patching software and network segmentation and recommends following Perforce's security guidelines for server hardening.
2023-12-19 19:36:13 bleepingcomputer CYBERCRIME ALPHV Ransomware Group Netted $300 Million, FBI Exposes Tactics
The ALPHV/BlackCat ransomware gang has amassed over $300 million in ransom payments from more than 1,000 victims globally by September 2023, according to the FBI. The majority of the affected entities are in the United States, with approximately 250 incidents reported outside the U.S. In collaboration with CISA, the FBI has offered guidance on mitigating the threat, including prioritizing the patching of exploited vulnerabilities and enforcing multi-factor authentication. The FBI and CISA recommend regular software updates, patching, and vulnerability assessments as a part of security best practices. ALPHV, believed to be a rebrand of DarkSide and BlackMatter, has been active since November 2021 and was involved in a high-profile attack on Colonial Pipeline. The FBI infiltrated ALPHV's operations, gained decryption keys, and helped at least 500 victims recover files, preventing approximately $68 million in ransoms from being paid. A seizure and subsequent "unseizing" of the ALPHV data leak site by both the FBI and the ransomware gang has led other cybercrime groups to invite ALPHV's affiliates to their operations.
2023-12-19 19:10:33 bleepingcomputer CYBERCRIME Interpol's "Operation HAECHI IV" Nets 3,500 Cybercriminals, $300M
An international law enforcement collaboration, "Operation HAECHI IV," has resulted in the arrest of 3,500 suspects linked to cybercrimes and the seizure of $300 million in criminal proceeds. The operation was conducted between July and December 2023, with South Korean authorities spearheading it alongside agencies from 34 other countries, including the US, UK, Japan, Hong Kong, and India. Targeted crimes included voice phishing, romance scams, sextortion, investment fraud, illegal online gambling, business email compromise, and e-commerce fraud, among others. Interpol's I-GRIP system helped identify and freeze over 82,000 bank accounts associated with these cybercrimes across the participating nations. Seized assets comprised traditional currency and digital assets like NFTs, with a notable arrest of an elusive online gambling criminal in Manila. The latest cyber fraud trends observed from the operation involved digital investment fraud and NFT platform "rug pulls," as well as the use of AI and deep fake technologies for impersonation and scams. Operation HAECHI IV marks a significant increase in success compared to the previous "HAECHI III" operation, with over 260% more arrests and a significant increase in seized funds.
2023-12-19 17:28:26 bleepingcomputer CYBERCRIME FBI Disrupts BlackCat Ransomware Operation and Aids Victims
The FBI successfully seized the servers of the BlackCat (ALPHV) ransomware gang, assisted by a confidential human source. Backed by a federal search warrant, the FBI infiltrated the ransomware backend, obtaining crucial information on the gang's operations. The agency accessed decryption keys and created a tool that has helped more than 400 victims recover their data free of charge. Details on exactly how the decryption keys were obtained are not provided, leading to speculation about possible FBI exploitation of system vulnerabilities. The FBI collected 946 key pairs relating to the gang's Tor-based communication, leak sites, and management panels, giving it control over these URLs. This is the third successful operation against ransomware groups by the FBI, hinting at an effective tactic now in use against cybercriminal infrastructure. The ALPHV/BlackCat ransomware group is expected to potentially shut down and rebrand following this significant law enforcement disruption.
2023-12-19 17:07:37 bleepingcomputer CYBERCRIME New Terrapin Attack Compromises OpenSSH Connection Security
Academic researchers have identified the Terrapin attack, which degrades the integrity of SSH channels by meddling with sequence numbers during the handshake. The attack affects widely used encryption modes in OpenSSH, allowing attackers to alter or remove messages in the communication channel. The vulnerability can lead to downgraded public key algorithms and weakened defenses against keystroke timing attacks in OpenSSH 9.5. Designated CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446, these flaws require attackers to be in a position to intercept network communications and are specifically related to ChaCha20-Poly1305 and CBC with Encrypt-then-MAC encryption modes. Researchers observed a 77% adoption of the vulnerable encryption modes, implying a significant real-world impact of the Terrapin attack. Remediation includes implementing a strict key exchange; however, it must be adopted by both clients and servers to be fully effective. A vulnerability scanner for the Terrapin attack has been published on GitHub, enabling administrators to assess susceptibility to this threat. Despite the risks, the necessity for attackers to achieve a MitM position reduces the overall threat severity, leading some to deprioritize patches for CVE-2023-48795.
2023-12-19 15:56:01 thehackernews CYBERCRIME FBI Disrupts BlackCat Ransomware, Unveils Decryption Aid
The U.S. Justice Department has announced the disruption of BlackCat ransomware operations. A free decryption tool has been released for victims to recover files encrypted by BlackCat malware. The FBI infiltrated the gang through a confidential human source posing as an affiliate. BlackCat, known for being the first Rust-language ransomware, has been a major threat since emerging in December 2021. The disruption prevented ransom demands totaling approximately $68 million and provided insights into the ransomware's network. Over 946 key pairs used in the ransomware's TOR sites were collected, aiding in their dismantlement. BlackCat utilized a ransomware-as-a-service business model and engaged in double extortion tactics. The cybercrime group is responsible for invading over 1,000 networks worldwide, amassing substantial illegal profits.
2023-12-19 15:19:50 thehackernews CYBERCRIME Exposé on Mikhail Matveev's Global Ransomware Operations Revealed
Cybersecurity researchers from PRODAFT have detailed the operations of a ransomware empire led by Russian national Mikhail Pavlovich Matveev. Matveev, known by multiple aliases including Wazawaka, is linked to the LockBit, Babuk, and Hive ransomware strains. He has been indicted by the U.S. for initiating thousands of ransomware attacks worldwide, often employing aggressive tactics, including threats and dishonesty. Matveev worked with a team of six and had affiliations with various notorious cybercrime groups, including a management role in the Babuk group. The team used sophisticated methods to breach networks, including information gathering through Zoominfo and exploiting known vulnerabilities, with a preference for MeshCentral as their Remote Monitoring and Management tool. The investigation has revealed Matveev's connections to Evgeniy Mikhailovich Bogachev, linked to the GameOver Zeus botnet and Evil Corp. Matveev and his team exhibited a lack of ethical practices, frequently refusing to release files even after victims complied with ransom demands.
2023-12-19 15:04:09 theregister CYBERCRIME Federal Authorities Disrupt AlphV/BlackCat Ransomware Operations
The US Justice Department has provided a decryptor to over 500 victims of the AlphV/BlackCat ransomware, potentially preventing $68 million in ransom payments. US Attorney Markenzy Lapointe, with support from FBI Miami, the US Secret Service, and international partners, highlighted the effort against sophisticated cybercriminals. Following a collaborative operation with the UK, Australia, and Europol, AlphV/BlackCat's old leak site was seized and defaced with an FBI notice. The disruption action has resulted in the ransomware group shifting their servers and leak blog; their resilience and operational status remain uncertain. Despite the takedown, AlphV's most recent victim list remains active, leading to questions about the full impact of the law enforcement's disruption campaign. The historical downtime and seizure of AlphV's platforms combined with the availability of the decryptor could signify the end for AlphV under its current name, although experts believe the group may rebrand and resurface. A National Crime Agency spokesperson emphasized the threat of ransomware and the importance of reporting and protecting against such attacks, pointing to NCSC.gov.uk for advice.
2023-12-19 14:18:07 bleepingcomputer CYBERCRIME FBI Successfully Disrupts Blackcat Ransomware Group's Operations
The FBI infiltrated the servers of the ALPHV, also known as BlackCat, ransomware operation to monitor its activities. During the operation, the FBI collected decryption keys and provided them to over 500 victims to prevent ransom payments. An official decryption tool has been created by the FBI to assist other impacted parties in file recovery without cost. The law enforcement compromise of ALPHV's infrastructure has reduced trust among the ransomware operation's affiliates. Following the disruption, some affiliates resorted to direct email communication with victims, avoiding the gang's infrastructure. Rival ransomware operation LockBit has attempted to recruit affected affiliates of ALPHV. Over the years, this ransomware operation has been breached multiple times by law enforcement under various names such as DarkSide and BlackMatter. The repeated disruption by law enforcement may prompt the ransomware gang to rebrand once again under a new identity.
2023-12-19 13:37:19 thehackernews MALWARE Malicious Use of GitHub Gists and Git Commits by Hackers
Threat actors are using GitHub to host malware and control compromised systems. GitHub secret Gists and git commit messages are being abused to issue malicious commands. Malicious network traffic is disguised as legitimate, complicating detection by standard security tools. Public services are being misused as dead drop resolvers for command-and-control server addresses. Secret Gists are not listed on the author's profile, making them an attractive tool for hackers. Identified malicious PyPI packages relied on encoded URLs in secret gists for delivering commands. Commit messages within git repositories are also used for command execution, demonstrating advanced tactics. Fraudulent packages using these techniques have been removed from the Python Package Index (PyPI).